Source: www.infosecurity-magazine.com
A phishing campaign delivering a new strain of malware, MostereRAT, has been uncovered by cybersecurity researchers. The Remote Access Trojan (RAT) targets Microsoft Windows systems and gives attackers complete control over compromised machines.
According to FortiGuard Labs, which discovered the threat, what sets this campaign apart is its layered use of advanced evasion techniques. The malware is written in Easy Programming Language (EPL), a Chinese-language programming language rarely seen in cyberattacks, and relies on multiple stages to hide its malicious behavior.
It can disable security tools, block antivirus traffic and establish secure communications with its command-and-control (C2) server using mutual TLS (mTLS).
Attack Chain and Delivery
The campaign begins with phishing emails that appear to be legitimate business inquiries, mainly targeting Japanese users. Once a victim clicks a link, a Word document containing a hidden archive is downloaded. That file directs the user to open an embedded executable, which launches the malware.
The executable decrypts its components and installs them in the system directory. Services are then created to ensure persistence, with some running under SYSTEM-level privileges for maximum access. Before closing, the program displays a fake message in Simplified Chinese suggesting the file is incompatible, a tactic meant to encourage further spreading.
Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, said: “Given the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defense.”
She added that enforcing policies that restrict automatic downloads and limit user privileges can help prevent escalation to SYSTEM or TrustedInstaller.
MostereRAT uses several methods to interfere with security protections. It can disable Windows Update, terminate antivirus processes and block security tools from communicating with their servers.
The malware also escalates privileges by mimicking the TrustedInstaller account, one of the most powerful on Windows systems.
“While this malware uses some creative techniques to evade detection by chaining together novel scripting languages with trusted remote access tools, it is still following a common pattern of exploiting overprivileged users and endpoints without application control,” explained James Maude, field CTO at BeyondTrust.
Capabilities and Remote Access Tools
Once established, the RAT supports a wide range of functions, including:
- Keylogging and system information collection
- Downloading and executing payloads in EXE, DLL, EPK or shellcode formats
- Creating hidden administrator accounts for persistence
- Running remote access tools like AnyDesk, TightVNC and RDP Wrapper
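Several of the behaviors described above (services installed to run as SYSTEM, Windows Update being disabled, and new accounts being promoted to administrator) leave traces in standard Windows event logs. The following Python script is an added example, not code from the article or from FortiGuard Labs, showing how a defender could triage such events. It reads a small, constructed JSON-lines export of System and Security log records and applies three heuristics: Event ID 7045 (service installed) where the service account is SYSTEM, Event ID 7040 (service start type changed) that disables Windows Update, and a new account (Event ID 4720) added to the local Administrators group (Event ID 4732) within a short window. The field names in the sample records (`ts`, `log`, `id`, `service`, `account`, `image`, `target_user`, `group`) are assumptions for this example and do not correspond to any particular SIEM schema; service names, account names and paths are invented, not indicators from the campaign.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry from the MostereRAT campaign),
# in a simplified JSON-lines shape loosely modelled on Windows event logs.
SAMPLE_EVENTS = r"""
{"ts": "2025-09-01T09:12:03Z", "log": "System", "id": 7045, "service": "UpdChk", "account": "LocalSystem", "image": "C:\\Windows\\System32\\updchk.exe"}
{"ts": "2025-09-01T09:12:05Z", "log": "System", "id": 7040, "service": "Windows Update", "from": "auto start", "to": "disabled"}
{"ts": "2025-09-01T09:12:09Z", "log": "Security", "id": 4720, "target_user": "svc_backup"}
{"ts": "2025-09-01T09:12:10Z", "log": "Security", "id": 4732, "target_user": "svc_backup", "group": "Administrators"}
{"ts": "2025-09-01T09:30:00Z", "log": "System", "id": 7045, "service": "VendorAgent", "account": "NT AUTHORITY\\NetworkService", "image": "C:\\Program Files\\Vendor\\agent.exe"}
{"ts": "2025-09-01T10:00:00Z", "log": "Security", "id": 4720, "target_user": "alice"}
"""

# Account names under which a newly installed service runs with SYSTEM rights.
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

# A new account that becomes an administrator this quickly after creation is
# worth a look; the window is a tuning choice, not a fixed rule.
ADMIN_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def analyze_events(events):
    """Return (finding_type, subject) tuples for the three heuristics."""
    findings = []
    created_at = {}  # account name -> creation time (from Event ID 4720)
    for event in sorted(events, key=lambda e: e["ts"]):
        eid = event["id"]
        if eid == 7045 and event.get("account", "").lower() in SYSTEM_ACCOUNTS:
            # Persistence via a service that runs as SYSTEM; noisy on its own,
            # so compare against a baseline of known-good services.
            findings.append(("system_service_installed", event["service"]))
        elif (eid == 7040 and event.get("service") == "Windows Update"
              and event.get("to") == "disabled"):
            findings.append(("windows_update_disabled", event["service"]))
        elif eid == 4720:
            created_at[event["target_user"]] = event["ts"]
        elif eid == 4732 and event.get("group") == "Administrators":
            user = event["target_user"]
            if user in created_at and event["ts"] - created_at[user] <= ADMIN_WINDOW:
                findings.append(("new_account_made_admin", user))
    return findings


if __name__ == "__main__":
    for kind, subject in analyze_events(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: {subject}")
```

On the constructed sample the script flags the `UpdChk` service (runs as LocalSystem), the Windows Update start-type change, and the `svc_backup` account, while ignoring the vendor agent running as NetworkService and the `alice` account that was created but never promoted. In practice the 7045 rule needs a baseline of expected services, since many legitimate components install as LocalSystem from the system directory.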
FortiGuard Labs noted that parts of the malware’s infrastructure were previously linked to a banking trojan reported in 2020. Its evolution into MostereRAT highlights how threat actors continue to refine techniques to evade modern detection systems.
Maude stressed the importance of reducing privileges and controlling applications. “If you remove the local administrator privilege, you vastly reduce the attack surface and limit the impact of a malware infection,” he concluded.
Original Post URL: https://www.infosecurity-magazine.com/news/rat-targets-windows-users-stealth/